MFA Enrollment Order - Precedence of Factors

Problem statement

When using MFA Enrollment, why does one factor take precedence over another, and can the order be changed? For example, with factors like Push Notifications and TOTP, Push Notification takes precedence over TOTP, so the user will be enrolled with Push Notification.

Steps to reproduce

  1. Choose two or more factors
  2. Set policy to “Always”
  3. Log in

Solution

A security assessment by our teams determined the order of precedence for MFA factors. This order can be changed by using Actions. Adding code like the following to an Action will offer users OTP first and then Push Notification:

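// Inside the onExecutePostLogin(event, api) handler of a post-login Action: OTP is offered first, Push Notification as the alternative.
api.authentication.challengeWith({ type: 'otp' }, { additionalFactors: [{ type: 'push-notification' }] });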
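An added example, not code from the original article or from Auth0, showing a post-login Action that applies one preferred order to both enrollment and challenge. It assumes the Actions API exposes `event.user.enrolledFactors`, `api.authentication.enrollWith` and `api.authentication.challengeWith`; `PREFERRED_ORDER` and `orderFactors` are hypothetical names introduced for illustration.

```javascript
// Preferred order, first entry is offered first. The factor type names are
// Auth0 Actions factor types; the list itself is an assumption for this example.
const PREFERRED_ORDER = ['otp', 'push-notification'];

// Return the given factor types sorted by PREFERRED_ORDER, as { type } objects.
// Types that are not in PREFERRED_ORDER are dropped.
function orderFactors(types) {
  return PREFERRED_ORDER
    .filter((t) => types.includes(t))
    .map((type) => ({ type }));
}

async function onExecutePostLogin(event, api) {
  const enrolled = (event.user.enrolledFactors || []).map((f) => f.type);

  if (enrolled.length === 0) {
    // User has no factor yet: offer enrollment with OTP first,
    // and the remaining preferred factors as alternatives.
    const [first, ...rest] = orderFactors(PREFERRED_ORDER);
    api.authentication.enrollWith(first, { additionalFactors: rest });
    return;
  }

  // User already has factors: challenge only with what they enrolled,
  // still in the preferred order.
  const [first, ...rest] = orderFactors(enrolled);
  if (!first) {
    // Enrolled only with factors outside PREFERRED_ORDER:
    // make no call and leave the tenant's default behaviour in place.
    return;
  }
  api.authentication.challengeWith(first, { additionalFactors: rest });
}

// Export the handler when running in a CommonJS environment such as Actions.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Filtering the challenge list by the user's enrolled factors avoids offering a factor the user cannot complete.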